Physical AI agents: OWASP coverage gap for robotic/actuator systems

[pshkv]

The toolkit covers the software agent security surface well. Opening this to discuss a gap that the current seven packages don't address: physical AI agents — LLM-driven systems that actuate in the real world via ROS 2, MAVLink (drones), industrial controllers, or embedded hardware.

Why physical agents require additional governance primitives

Software agents that go wrong can be rolled back. Physical agents that go wrong cause irreversible harm — a drone that arms without authorization, a robot arm that exceeds safe velocity near a human, a welding robot that actuates without human sign-off.

The OWASP Agentic Top 10 framework covers these conceptually but the enforcement mechanism is different:

OWASP Category	Software agent	Physical agent
Tool Misuse (OAT-05)	Block the API call	Block the hardware command before it reaches the actuator
Cascading Failures (OAT-08)	Rate limit HTTP calls	Cap collective kinetic energy Σ(½mv²) across a drone fleet
Privilege Escalation (OAT-02)	Scope check on API token	Velocity/force constraint in signed capability token

Specific gaps in the current toolkit

1. No physical constraint model — There's no equivalent of maxVelocityMps, maxForceNewtons, or geofence in the policy schema. Physical agents need these as first-class constraints, not just action allow/deny.

2. No environment-adaptive constraints — Static policy rules can't adapt to real-time sensor state. An obstacle at 0.4m should automatically cap velocity to 0.1 m/s regardless of what the token says. This requires a plugin interface that runs on every action, not a static policy file.

3. No tier-based irreversibility model — ARM + MISSION_START on a drone is categorically different from a sensor read. The governance layer needs to know that some actions are physically irreversible and require explicit human sign-off before execution (not audit after).

4. No swarm collective constraints — Per-agent governance doesn't capture emergent collective risk. A fleet of individually-authorized drones can collectively exceed safe kinetic energy limits.

What we've built as a reference

SINT Protocol is an open-source physical AI authorization layer that covers exactly this surface:

• Tier model: T0_observe → T1_prepare → T2_act → T3_commit mapped to reversibility + physical risk
• MAVLink bridge: 15 tier rules (ARM → T3, TAKEOFF → T2, camera → T0)
• ROS 2 bridge: topic-level capability token enforcement
• DynamicEnvelopePlugin: min(token.maxVelocityMps, obstacle_distance × reaction_factor) per action
• SwarmCoordinator: collective KE ceiling, minimum inter-agent distance, concurrent actor limit
• Evidence ledger: SHA-256 hash chain with TEE attestation (SGX/TrustZone/SEV)

950 tests across 18 packages.

Proposal

Happy to collaborate on:

1. Adding a physical agent profile to the OWASP coverage matrix
2. A PhysicalConstraintPolicy schema extension for agent-os
3. A reference integration between SINT's bridge-mavlink / bridge-ros2 and the AGT policy engine

Is physical AI in scope for the toolkit's roadmap? Would the team be open to an integration PR?

[github-actions]

Welcome to the Agent Governance Toolkit! Thanks for opening your first issue.
A maintainer will review this shortly. Check our Contributing Guide.
For security issues, use private vulnerability reporting.

[github-actions]

🤖 AI Agent: contributor-guide

Hi @pshkv, welcome to the microsoft/agent-governance-toolkit project! 🎉 We're thrilled to have you here, and thank you for opening such a thoughtful and detailed issue. It's always exciting to see first-time contributors bring fresh perspectives and expertise to the table!

Analysis of Your Issue

Your proposal highlights a critical and emerging area of AI governance: physical AI agents. The risks you outlined — irreversible harm, environment-adaptive constraints, and collective behavior — are indeed unique to systems that interact with the physical world. This is a fascinating and important topic, and your reference to the OWASP Agentic Top 10 framework provides a solid foundation for framing the problem.

Based on your description, here’s how the existing packages in the toolkit might relate to your proposal:

1. agent-os: This package seems like the most relevant starting point for your proposal. It handles the core policy engine and agent lifecycle, making it a natural fit for extending the policy schema to include physical constraints (e.g., PhysicalConstraintPolicy) and tier-based irreversibility models.

2. agent-mesh: If your proposal involves swarm-level governance (e.g., collective kinetic energy limits, inter-agent distance), this package could be extended to support the discovery and coordination of physical agents in a trust mesh.

3. agent-compliance: The evidence ledger you mentioned (e.g., SHA-256 hash chain with TEE attestation) aligns with this package's focus on audit logging and compliance frameworks. It could be a great place to integrate your work on evidentiary guarantees for physical agent actions.

4. agent-sre: While not directly related to your proposal, this package might benefit from your insights into chaos testing and reliability for physical systems, especially in multi-agent swarms.

Relevant Code and Resources

To get started, here are some key directories and resources that might be helpful:

• agent-os: The core policy engine is located in the /packages/agent-os directory. This is where you could explore extending the policy schema to include physical constraints.
• agent-mesh: For swarm-level governance, check out the /packages/agent-mesh directory.
• agent-compliance: The compliance and audit logging framework lives in the /packages/agent-compliance directory.
• CONTRIBUTING.md: Please review our contribution guidelines to understand the process for proposing and submitting changes.
• QUICKSTART.md: The quickstart guide will help you set up the project locally and get familiar with the codebase.
• Code of Conduct: We value a welcoming and inclusive community. Please take a moment to review our Code of Conduct.

Next Steps

Here’s how you can move forward:

1. Discuss Scope: Since this is a significant new area, it would be great to hear from the maintainers about whether physical AI governance fits into the toolkit's roadmap. You could also ask for their input on how best to structure your contributions (e.g., as extensions to existing packages or as a new package).

2. Draft a Design Proposal: Based on the feedback from maintainers, you could draft a more detailed design document outlining the proposed changes. This could include:

   • A PhysicalConstraintPolicy schema for agent-os
   • A high-level architecture for integrating SINT's bridge-mavlink and bridge-ros2
   • A plan for implementing swarm-level governance in agent-mesh
   • Any additional test cases or compliance requirements

3. Start Small: Consider starting with a smaller, self-contained PR — for example, adding a basic PhysicalConstraintPolicy schema to agent-os. This will help you get familiar with the contribution process and gather early feedback from the maintainers.

4. Engage with the Community: Feel free to ask questions, share updates, or seek feedback in this issue or on the project's discussion forums (if available). Collaboration is key!

We’re excited about the potential of your proposal and the expertise you bring to the table. Let us know how we can support you in moving this forward. 🚀

[imran-siddique]

Interesting gap analysis. Our current OWASP coverage focuses on software agents — physical AI (robotic actuators, sensor fusion, motor control) introduces unique governance requirements around safety boundaries, latency constraints, and hardware-software trust chains.

We'd welcome a contribution exploring how AGT's policy engine could be extended for physical agent governance. The kill switch and real-time SLO monitoring in agent-sre are the closest existing primitives. Also see #748 (nono sandboxing) which addresses OS-level isolation for edge deployments.

Labeling as enhancement.

[zeel2104]

Is it open for contribution?

[imran-siddique]

Yes, contributions are welcome! This is a feature request — feel free to open a PR with your proposed approach. Please review CONTRIBUTING.md for guidelines.

[zeel2104]

Got it. Thanks

[imran-siddique]

Interesting research direction! Physical AI agents (robotic/actuator systems) do represent a genuine OWASP coverage gap — our current threat model assumes software-only agents.

This would be a significant scope expansion. For now, labeling as enhancement for future consideration. If you'd like to contribute a threat model document for physical AI agent governance, that would be a great starting point for the discussion.

[pshkv]

Update on the SINT side since opening this — relevant to the physical AI governance gap.

Since this issue was filed:

• Test suite: 950 → 1,197 tests across 31 packages
• OWASP ASI01-ASI10 conformance fixture pack published (this week): 30 machine-readable test vectors + citeable mapping doc
  • https://github.com/sint-ai/sint-protocol/blob/main/docs/conformance/owasp-asi-mapping.md
  • https://github.com/sint-ai/sint-protocol/blob/main/packages/conformance-tests/fixtures/security/owasp-asi-conformance.v1.json
• Python SDK added: sdks/python/ with OpenAI Agents, CrewAI, AutoGen adapters
• Rust SDK added: sdks/rust/sint-client/
• bridge-iot: MQTT/CoAP interceptor with IoT device profiles (temperature-sensor, actuator, PLC, smart-meter)
• SafetyPermitPlugin: async hardware safety state resolution for edge deployments
• Hardware safety conformance KPIs: p99 targets (<10ms ROS2, <40ms permit handshake, <20ms e-stop)

Specifically relevant to the physical AI governance gaps flagged above:

The DynamicEnvelopePlugin and SwarmCoordinator are stable now. The maxVelocityMps and maxForceNewtons physical constraints are enforced inline in gateway.intercept() — not as post-audit filters. The SintHardwareSafetyContext struct (permitState, interlockState, estopState) flows from the IoT/ROS2 bridges into the gateway's hardware safety handshake.

The OWASP fixture pack includes physical-context cases (ASI09 with humanDetected: true forcing tier escalation) that AGT could adapt for its own physical agent coverage.

On the collaboration offer: still open. A PhysicalConstraintPolicy schema extension and a reference SINT ↔ AGT integration bridge are the two highest-value touchpoints. The shared fixture format could be a starting point — our JSON schema is MIT-licensed and designed to be implementation-agnostic.